Guarantees for ensure clauses with malicious participants

cocreature · June 17, 2022, 12:47pm

Usually, Daml users expect that the ensure clause holds for every active contract because it’s checked at creation time. However, because it’s only checked at creation time, I’m wondering what guarantees we get in the presence of malicious submitters. Consider this case:

Party A is hosted on participant PA, Party B is hosted on participant PB.
Party A hacks their participant to allow creation of a contract they’re the only stakeholder on which violates the ensure clause.
Now Party A submits a transaction that fetches that contract and that fetch is divulged to participant PB (because B is a witness).

Does participant PB check that the ensure clause holds as part of model conformance and reject that transaction or is it accepted?

Andreas_Lochbihler · June 17, 2022, 1:41pm

The current Canton implementation has the documented limitation that the submitting participant is honest, so this question is a bit outside of the currently provided scope. Long-term, the virtual shared ledger contains only model-conformant actions and ensures clauses are included in model conformance. So if party B is honest, it will not see a contract on the ledger that violates the ensures clause. Implementation-wise, PB will check the ensures clause.

cocreature · June 17, 2022, 1:41pm

Thank you!

Topic		Replies	Views
What happens if a bad guy in a Canton setup Questions canton	3	204	March 15, 2022
Role of maintainers for Canton Contract Keys Questions canton , contract-keys	1	194	March 9, 2022
How Daml guarantees immutability in a centralized setup? Questions daml , daml-on-sql	3	208	March 31, 2022
`Update` in `ensure` clause Questions	1	421	April 14, 2020
Canton VIP confirmation policy Questions canton	2	296	June 9, 2022

Guarantees for ensure clauses with malicious participants

Related Topics